Access Keys Will Kill You Before You Kill the Password

Presented at Black Hat USA 2016, Aug. 3, 2016, 4:20 p.m. (25 minutes)

AWS users, whether they are devops engineers in a startup or system administrators tasked with migrating an enterprise service into the cloud, interact daily with the AWS APIs, using either the web console or tools such as the AWS CLI to manage their infrastructure. When working with the latter, authentication relies on long-lived access keys that are often stored in plaintext files, shared between developers, and sometimes publicly exposed. This is a significant security risk: possession of such credentials grants unconditional and permanent access to the AWS API, so a compromise can have catastrophic consequences. This talk will detail how MFA may be consistently required for all users, regardless of the authentication method. It will also introduce several open-source tools, including the release of one new tool, that make day-to-day work painless once MFA-protected API access is enforced in an AWS account.
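The enforcement the abstract describes, as an added example that is not code from the talk, the presenter or NCC Group's tools: an IAM policy that denies every action unless the request carries aws:MultiFactorAuthPresent=true (with a carve-out so a user holding only long-lived keys can still enrol a device and call GetSessionToken), a small evaluator of that condition showing why it must use BoolIfExists rather than Bool, and the STS GetSessionToken call that turns access keys plus a one-time code into MFA-backed temporary credentials. The MFA device ARN, the stub STS client and the request contexts are constructed for offline use and are assumptions, not material from the page.

```python
"""Require MFA for every AWS API call, and work under that requirement.

Added example for this talk listing, not code from the presenter or NCC Group.
The MFA device ARN, stub STS client and request contexts are constructed."""
import copy

# Actions a user needs before holding an MFA-backed session, so that someone
# with only long-lived keys can still enrol a device and get a session token.
MFA_SELF_SERVICE_ACTIONS = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]

# Correct form: BoolIfExists treats a request with no aws:MultiFactorAuthPresent
# key (what a request signed with plain access keys looks like) as a match,
# so the Deny applies to long-lived keys as well as to non-MFA sessions.
ENFORCE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllWithoutMFA",
        "Effect": "Deny",
        "NotAction": MFA_SELF_SERVICE_ACTIONS,
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# Common mistake: plain Bool. A missing key never matches, so requests signed
# with long-lived access keys are not denied at all.
WEAK_MFA_POLICY = copy.deepcopy(ENFORCE_MFA_POLICY)
WEAK_MFA_POLICY["Statement"][0]["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "false"}}

# Constructed request contexts: long-lived keys carry no MFA key at all;
# temporary credentials carry it, true only if MFA was used to obtain them.
CTX_ACCESS_KEYS = {"aws:PrincipalType": "User"}
CTX_SESSION_NO_MFA = {"aws:PrincipalType": "User", "aws:MultiFactorAuthPresent": "false"}
CTX_SESSION_MFA = {"aws:PrincipalType": "User", "aws:MultiFactorAuthPresent": "true"}


def _condition_matches(operator, key, expected, context):
    """Evaluate one Bool / BoolIfExists condition entry the way IAM does."""
    if key not in context:
        # ...IfExists: an absent key is a match; plain Bool: it never matches.
        return operator.endswith("IfExists")
    return str(context[key]).lower() == str(expected).lower()


def is_explicitly_denied(policy, action, context):
    """True if a Deny statement in `policy` applies to `action` under `context`.

    Only the Deny side is modelled: the question is whether the request is
    blocked, not whether some other policy would have allowed it."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt:
            applies = action not in stmt["NotAction"]
        else:
            actions = stmt["Action"]
            actions = actions if isinstance(actions, list) else [actions]
            applies = "*" in actions or action in actions
        if applies and all(_condition_matches(op, k, v, context)
                           for op, pairs in stmt.get("Condition", {}).items()
                           for k, v in pairs.items()):
            return True
    return False


def mfa_session_credentials(sts_client, mfa_serial, token_code, duration_seconds=43200):
    """Trade long-lived keys plus a one-time code for temporary credentials.

    `sts_client` is a boto3 STS client (boto3.client("sts")), injected so the
    call can be exercised offline. Keys are named as in ~/.aws/credentials."""
    resp = sts_client.get_session_token(
        SerialNumber=mfa_serial, TokenCode=token_code, DurationSeconds=duration_seconds
    )
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


class StubSTS:
    """Constructed stand-in for the boto3 STS client; returns fake credentials."""

    def get_session_token(self, SerialNumber, TokenCode, DurationSeconds):
        if not SerialNumber.startswith("arn:aws:iam::") or len(TokenCode) != 6:
            raise ValueError("bad MFA serial or token code")
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLESESSIONKEY",
                                "SecretAccessKey": "example-secret",
                                "SessionToken": "example-session-token"}}
```

With ENFORCE_MFA_POLICY attached to every user (or group), an ec2:TerminateInstances call signed with plain access keys is denied, a session obtained without MFA is denied, and only an MFA-backed session goes through; WEAK_MFA_POLICY lets the plain access-key call pass, which is exactly the gap the talk is about. In practice the dict returned by mfa_session_credentials is written to a named profile in ~/.aws/credentials and the CLI is pointed at it for the life of the session (GetSessionToken allows up to 129,600 seconds for an IAM user).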


Presenters:

  • Loic Simon - NCC Group
    Loïc Simon is a Principal Security Engineer at NCC Group US Security Consulting, a full-service security consulting company offering world-class penetration testing, security systems development, security education and software design verification. For several years, Loïc has specialized in AWS security, performing in-depth security reviews as well as architecture and design reviews for a variety of cloud-based systems. Loïc has helped secure highly complex deployments involving thousands of instances and millions of objects by designing and implementing strict access-control requirements without impacting users' productivity. Loïc is the author of a variety of open-source tools developed to help assess and harden the security of AWS environments.
